Personal info security breach stings Seattle archdiocese

The Seattle archdiocese, the FBI and the IRS are working to determine the scope and source of a security breach that surfaced after discovery of false tax returns filed in the names of archdiocesan, school and parish employees and volunteers.

Meanwhile, an increasing number of those employees and volunteers are spending long wait times in IRS and credit bureau phone queues trying to sort out if -- or to what extent -- hackers might have used their personal information.

Even if that data has not been used to date, it could still find its way into varied forms of identity theft down the road, many fear.

In a letter Thursday to "pastors, pastoral leaders and school administrators," Archbishop J. Peter Sartain offered "prayer and empathy for experiencing personal disruption, anxiety and in some cases serious fraud."

"One hears about this kind of scam but hopes it never touches us personally," he wrote. "Now that it has, I want you to know how sorry I am that this is happening and offer my assurances that we are doing all in our power to get to the bottom of it, with the assistance of experts and law enforcement."

The Seattle Times on March 12 quoted archdiocesan spokesman Greg Magnoni as saying personnel in at least three parishes as well the chancery had been victimized.

It was unclear if any fraudulent tax refunds had actually been issued and cashed.

Seattle's KIRO-TV reported that "several Catholic schools adjusted their schedules" on Friday to allow their staffs to "deal with any fraud." Among them, Bishop Blanchet High School recessed early and O'Dea High School canceled classes altogether.

KIRO-TV also said "as many as 90,000 staff and volunteers in Western Washington" might be vulnerable to the leak. No source was cited for the estimate.

There are 579,500 registered Catholics in the archdiocese, according to its website.

The archdiocese has hired the forensic security firm Stroz Friedberg "to assist us in analyzing the situation," the Web notice stated.

Magnoni told The Seattle Times that initially it appeared fallacious tax returns were confined to one parish. Chancellor Mary Santi sent a memo to parishes March 7 saying that "it was presumed to be a local issue," the Times reported.

"It kind of mushroomed from there," Magnoni told the Times. "When the announcements went out, people began checking their returns, and more individuals from different parishes and the chancery discovered it as well."

Magnoni told the Times that pinpointing the breach might be difficult because the archdiocese has several databases with various forms of information. He noted that potential entry sites could be a parish, school or vendor.

"It's hugely complex," he added.

So is addressing the myriad ways the leaked information might be used, according to some who have been impacted.

An unpaid coordinator of volunteers at one parish who asked not to be named told NCR the IRS said three attempts had been made to file fraudulent tax returns using the source's Social Security number and other personal information. Luckily, various factors flagged the attempts as bogus.

The IRS agent told the source that 87 of the previous 90 calls were related to the Seattle archdiocesan security case.

The source said the roughly 50 volunteers under their supervision had been required by the archdiocese to take its training on the protection of "vulnerable populations" such as children or the homeless. Required background checks solicited Social Security numbers and other personal information.

"That is where I am up in arms," the source said. "We promised them their Social Security numbers would be safe."

The source described initial parish attempts to alert potential victims as "not fast enough and not enough. I don't think they understood the depth and ramifications of this. Some of these volunteers are not even members of our parish community."

To further protect information, the source followed advice to purchase an identity theft monitoring program through the credit auditing firm Equifax, which costs $299 annually. "According to our accountant, we will have to be doing this the rest of our lives. You just do not know where this information is being sold. They could apply for loans in my name, and then default. It is so easy once you have the information."

Self-described as an experienced administrator who can "put on a hard shell" and deal with challenges presented by the security breach, the source expressed concern about "older persons, for example, who do not have this background," who volunteered for ministry only to perhaps find themselves tangled in an identity theft web.

According to Seattle's KING 5 News, an estimated 100 people attended a meeting at Holy Rosary School in West Seattle Sunday evening to learn more about the security breach from archdiocesan and IRS officials. The officials also sought information from participants. Media were excluded from the gathering.

"Administrators at several schools, along with the victims themselves, tell KING 5 at least 80 people from six different parishes across the Puget Sound had their tax returns falsely filed," said a report on the television outlet's website.

The archdiocese's online statement also urged "all employees and volunteers" to take several steps "as soon as possible," including:

Before you can post a comment, you must verify your email address at Disqus.com/verify.Comments from unverified email addresses will be deleted.

Be respectful. Do not attack the writer. Take on the idea, not the messenger.

Don't use obscene, profane or vulgar language.

Stay on point. Comments that stray from the original idea will be deleted. NCR reserves the right to close comment threads when discussions are no longer productive.

We are not able to monitor every comment that comes through. If you see something objectionable, please click the "Report abuse" button. Once a comment has been flagged, an NCR staff member will investigate.